[Spice-devel] [PATCH 16/19] Make sure we can read QXLPathSeg structures
Frediano Ziglio
fziglio at redhat.com
Tue Oct 6 03:26:00 PDT 2015
start pointer points to a QXLPathSeg structure.
Before reading from the structure, make sure the structure is contained
in the memory range checked.
Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
Acked-by: Christophe Fergeau <cfergeau at redhat.com>
---
server/red_parse_qxl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
index f21bfa5..281faad 100644
--- a/server/red_parse_qxl.c
+++ b/server/red_parse_qxl.c
@@ -256,7 +256,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
start = (QXLPathSeg*)data;
end = (QXLPathSeg*)(data + size);
- while (start < end) {
+ while (start+1 < end) {
n_segments++;
count = start->count;
segment_size = sizeof(SpicePathSeg) + count * sizeof(SpicePointFix);
@@ -272,7 +272,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
seg = (SpicePathSeg*)&red->segments[n_segments];
n_segments = 0;
mem_size2 = sizeof(*red);
- while (start < end) {
+ while (start+1 < end) {
red->segments[n_segments++] = seg;
count = start->count;
--
2.4.3
More information about the Spice-devel
mailing list